Skip to main content
Top

Can Nastel Navigator Security Manager be integrated with LDAP (ActiveDirectory) server?

Authentication and authorization of Nastel Navigator Security Manager users for Apache Tomcat application server can be implemented by modifying XML files. See below for the modification steps.

web.xml

Perform the below updates on the web.xml file, located in AutoPilotM6\apache-tomcat\webapps\apodwsm\WEB-INF\web.xml.

  1. The following servlet stanza: 
    <servlet>
       <servlet-name>FacesServlet</servlet-name>
       <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
       <load-on-startup>1</load-on-startup>
    </servlet>
    should have <security-role-ref> definition as in: 
    <servlet>
       <servlet-name>FacesServlet</servlet-name>
       <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
       <load-on-startup>1</load-on-startup>
          <security-role-ref>
             <role-name>m6admin</role-name>
             <role-link>GrpMiddlewareSupport</role-link>
          </security-role-ref>
    </servlet>
    where GrpMiddlewareSupport is the name of the role (group) specified by the user.
  2. The following auth-constraint stanza of web.xml:
    <auth-constraint>
       <!-- Anyone with one of the listed roles may access this area -->
       <role-name>m6admin</role-name>
    </auth-constraint>
    should have one more role-name definition as in:
    <auth-constraint>
       <!-- Anyone with one of the listed roles may access this area -->
       <role-name>m6admin</role-name>
       <role-name>GrpMiddlewareSupport</role-name>
    </auth-constraint>
  3. Security role section at the end of web.xml file gets 3d role as in: 
    <security-role>
       <role-name>m6admin</role-name>
    </security-role>
    <security-role>
       <role-name>m6audit</role-name>
    </security-role>
    <security-role>
       <role-name>GrpMiddlewareSupport</role-name>
    </security-role>
    Some LDAP servers require fully qualified role name or distinguishedName of the role. Instead of GrpMiddlewareSupport, the 3 items mentioned above should use:
    CN=GrpMiddlewareSupport,CN=Users,DC=nastel1,DC=main

server.xml

Perform the below updates on the server.xml file located in AutoPilotM6\apache-tomcat\conf\server.xml.

  1. Comment out or delete this stanza: 
    <Resource name="UserDatabase" auth="Container"
       type="org.apache.catalina.UserDatabase"
       description="User database that can be updated and saved"
       factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
       pathname="conf/tomcat-users.xml" />
  2. Realm stanza: 
    <Realm className="org.apache.catalina.realm.LockOutRealm">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
          resourceName="UserDatabase"/>
    </Realm>
    should become: 
    <Realm className="org.apache.catalina.realm.JNDIRealm" 
    debug="99" 
    adCompat="true" 
    referrals="follow"
    connectionURL="ldap://11.0.0.1:389"
    connectionName="CN=John Doe,CN=Users,DC=nastel1,DC=main"
    connectionPassword="johndoepasswdgoeshere"
    userBase="CN=Users,DC=NASTEL1,DC=MAIN"
    userSearch="sAMAccountName={0}"
    userSubtree="true"
    userRoleName="member"
    roleBase="CN=Users,DC=NASTEL1,DC=MAIN"
    roleName="CN"
    roleSearch="(member={0})"
    roleSubtree="false" />

On some LDAP servers, 'memberOf' should replace 'member' in the two occurrences above.
If user John Doe is a member of GrpMiddlewareSupport he will be granted login, otherwise there will be a 403 condition.

context.xml

Perform the below updates on the context.xml file located in AutoPilotM6\apache-tomcat\webapps\apodwsm\META-INF\context.xml.

Delete or comment out the realm stanza:

<Realm
className="org.apache.catalina.realm.UserDatabaseRealm"
debug="0"
resourceName="UserDatabase"
validate="true"/>

tomcat-users.xml

The file, AutoPilotM6\apache-tomcat\conf\tomcat-users.xml, should have all roles and usernames deleted or commented out.

<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="pwd" roles="tomcat"/>
-->

logging.properties

(Optional) If the user wants finer level logging to AutoPilotM6\apache-tomcat\logs\catalina.2021-05-03.log then the following lines should be added to AutoPilotM6\apache-tomcat\conf\logging.properties.

org.apache.catalina.realm.level = ALL
org.apache.catalina.realm.useParentHandlers = true
org.apache.catalina.authenticator.level = ALL
org.apache.catalina.authenticator.useParentHandlers = true
1catalina.org.apache.juli.FileHandler.bufferSize = -1
java.util.logging.ConsoleHandler.level = ALL
org.apache.catalina.level = FINEST
org.apache.catalina.realm.JNDIRealm.level = FINEST
org.apache.catalina.realm.JNDIRealm.useParentHandlers = true
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler

All modifications to the XML and properties files will be effective upon restarting Tomcat.

Related articles